I'm looking for an open source tool to test for XSS (if something like that exists). Also, what browser do you use? Do you use IE, and if you do, then what version do you use? I recently tried to do the xss-game.appspot.com but couldn't get past level 3. So I feel rather noob. Reading Web Hackers Handbook right now. Thanks for your input.

I'd recommend peeking at the WASSL (should keep you busy for a bit). Nikto is fairly popular. I've also used this site in a pinch (like from a mobile). Another good place to visit is the OWASP site. Lots of good info, including things like this.

What else. You can run a handful of different open source tools (and proprietary ones too for that matter) through Orvant's Securus product, including the above-mentioned Nikto, plus OpenVAS and W3af, to name a few more. The free account should cover enough to tinker with.

Oh, also Wapiti. W3af tests for a few more types of vulns than Wapiti, but I have found W3af is more error-prone than Wapiti, plus the WebSpider discovery module isn't as precise as I would expect.

Downsides are the test is fairly synthetic and lately vendors (both open source and commercial) are writing their tools to the test. The upside is the test is fairly comprehensive, and writing tools to the test has increased real world effectiveness also.

Now, locating a likely XSS injection point and exploiting it are somewhat different. For actually exercising the location you found, something like http://html5sec.org/ will be necessary. Sometimes the scanners will hand you a working demo, but often you have to work around the limitations of the location yourself using a big list of techniques like that.

I use ZAP Proxy, which is similar to Burp Suite but a bit more user-friendly. It has built-in support for XSS payloads, and you can highlight parts of the request you want to repeatedly resend with the different payloads. I always check in Firefox because for some reason it's the only browser without XSS filtering.